CrowdStrike Integration with Beyond Identity
This guide is an overview and walkthrough of setting up CrowdStrike Falcon Insight XDR.
Overview
CrowdStrike Falcon Insight XDR provides device protection as well as security actions for administrators to manage their organizations. With Beyond Identity, administrators can restrict access using conditional access policies.
Device protection basics
The list below shows improvements to security best practices with CrowdStrike Falcon and Beyond Identity.
- Check if devices are compliant and meet security rules
- Validate if devices are registered
- Confirm proper device setup and working security tools
- Evaluate system scores for device security
Security actions available
These points cover the ways that administrators can maximize security.
- Creating rules based on policy attributes as well as security scores
- Automatic responses for devices failing checks
- Network access limits on Windows, Mac, and Linux devices
- Restricted devices only connect to approved networks
- Blocking unregistered or failing devices
Process walkthrough
The sections in this guide cover the steps to integrate Crowdstrike Falcon Insight XDR with Beyond Identity. View the summary of the overall process below.
- Enable Zero Trust Assessment (ZTA) feature flag with CrowdStrike
- Configure Beyond Identity with CrowdStrike API credentials
Prerequisites
To get started with the integration, view the following prerequisites.
Crowdstrike prerequisites
This information contains the necessary items for integrating with Beyond Identity.
- Falcon Insight XDR product
- ZTA feature flag enabled, contact CrowdStrike support team to open a case with the requests below
zta_distribute_payloadenableddata.ztafile enabled on macOS
- ZTA feature flag enabled, contact CrowdStrike support team to open a case with the requests below
- Valid API client key and client secret
- Token scope configurations to include*: hosts (read, write), zero trust assessment (read)
note
Authentication requirements*
These permissions are necessary to allow Beyond Identity to read information about the hosts within the CrowdStrike host directory. They also allow Beyond Identity to take action against devices as configured in policy and to read Zero Trust Assessment results.
Endpoint access base URLs
CrowdStrike Falcon integrations also require a tenant base URL. Accessing the API with a specific endpoint depends on your type of CrowdStrike account. View the base URLs below for relevant subdomain based on your account.
- US-1 -
api.crowdstrike.com - US-2 -
api.us-2.crowdstrike.com - US-GOV-1 -
api.laggar.gcw.crowdstrike.com - EU-1 -
api.eu-1.crowdstrike.com
Operating system compatibility
The CrowdStrike Falcon integration currently supports Windows and macOS, with Linux support under active development. The list below describes the platforms supported.
- Windows - ✅ Fully Supported
- macOS - ✅ Fully Supported
- Linux - 〰️ Under Development / Limited Support
- iOS - ❌ Not Supported
- Android - ❌ Not Supported
Steps
Follow the steps in the sections below to complete your integration for Beyond Identity and CrowdStrike.
Legend
The sections below use these two color codings to identify the steps for separate platforms. Use a separate browser window when following instructions for each platform.
🔵 Beyond Identity - Beyond Identity platform tasks are highlighted in blue.
🟠 CrowdStrike - CrowdStrike platform tasks are highlighted in orange.
🟠 Confirm ZTA enabled
The steps in this section go over verifying 🟠 CrowdStrike for ZTA features.
- Contact CrowdStrike support for ZTA access, if applicable. See CrowdStrike prerequisites section.
- Check API credentials dashboard for ZTA scope.
- Verify the
data.ztafile is populated in the locations below.- Windows -
%ProgramData%\CrowdStrike\ZeroTrustAsssessment - macOS -
/Library/Application Support/Crowdstrike/ZeroTrustAssessment
- Windows -
🟠 Configure CrowdStrike API client and copy credentials
This section covers the instructions for adding an API client in 🟠 CrowdStrike and navigating to important configuration values.
- On the CrowdStrike Falcon platform page, navigate to Support → API Clients and Keys.
- On the CrowdStrike API Clients and Keys screen, click Add new API client.
- Under the Add new API client section, enter
Beyond Identityinto the Client Name field. - Under the Description field, update the field with your information.
- Click the checkboxes for Hosts Read and Write and Zero Trust Assessment Read.
- Click Add.
- On the API client created pop up, copy the following values. These values are required to configure Beyond Identity in the next section.
CLIENT IDSECRETBASE URL
- Click Done. The Integration screen then shows CrowdStrike Falcon is connected.
🔵 Configure Beyond Identity
After configuring CrowdStrike, add the integration using the 🔵 Beyond Identity console.
- On your Beyond Identity Secure Access console home page under PLATFORM, navigate to Integrations.
- Under Integrations, click Browse Integrations.
- Click CrowdStrike.
- On the CrowdStrike page, click the Add instance button.
- On the Add integration pop up, under General, input your information for the Display Name* field. This is required.
- Under the Configure API for CrowdStrike section, paste the values from Step 7 of the previous section. Each of these values is required.
BASE URL→ Base URL*CLIENT ID→ Client ID*SECRET→ Client secret*
- Click Save Changes. This prompts the successfully added pop up and returns you to the integration page.
Policy attributes
With this integration, you can create policies to allow or deny authentication using Beyond Identity. The attributes in the table below are available by default.
| Attribute | Type | Usage | Description |
|---|---|---|---|
| Connection Available | boolean | policy | Checks whether the connection to CrowdStrike is available. |
| Device Found | boolean | policy | Verifies that the device was found in CrowdStrike. |
| Serial Number | string | policy | Device Serial Number. |
| Platform | string | policy | Operating system platform. |
| Overall ZTA Score | integer | policy | Consolidated ZTA score for both the CrowdStrike sensor configuration and the OS configuration as a value from 1 to 100. |
| Sensor ZTA Score | integer | policy | ZTA score for the CrowdStrike sensor configuration as a value from 1 to 100. |
| OS ZTA Score | integer | policy | ZTA score for the OS configuration of the device. |
| macOS Version Supported | boolean | policy | Verifies the macOS OS version is sufficiently new and is supported by CrowdStrike for compatibility and support purposes. |
| File Vault Enabled | boolean | policy | Verifies that FileVault is enabled for the device. FileVault is Apple's method of data encryption. When FileVault is enabled, the entire drive is encrypted unless accessed by user credentials. Even if a device is stolen, without a valid username and password, the data is safe. |
| SIP Enabled | boolean | policy | Verifies that System Integrity Protection (SIP) is enabled for the device. System Integrity Protection (SIP) prevents even root users from taking any action on critical system files. Enabling SIP eliminates the chance of a Mac from being subject to malicious runtime attachments. |
| Remote Login Disabled | boolean | policy | Verifies that Remote Login is disabled for the device. Disabling Remote Login prevents access to the device using Secure Shell (SSH) and admin credentials. |
| Gatekeeper Enabled | boolean | policy | Verifies that Remote Login is enabled for the device. Gatekeeper protects the device from launching malicious applications by enforcing code signing and limiting the sources that applications can be downloaded from. On macOS 10.15 and later, Gatekeeper also performs a malicious content scan and signature validation periodically to check that code has not been tampered with. |
| Application Firewall Enabled | boolean | policy | Verifies that the Application Level Firewall (ALF) is enabled for the device. Application Firewall prevents network ports from being occupied by anything other than priority applications, controlling connections for individual apps. |
| Stealth Mode Enabled | boolean | policy | Verifies that Stealth Mode is enabled for the device. Stealth Mode ensures that macOS ignores network discovery attempts from a closed Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) network. |
| Internet Sharing Disabled | boolean | policy | Verifies that Internet Sharing is disabled for all but CrowdStrike apps. Internet Sharing allows a Mac device to share a network connection with other devices. |
| System Full Disk Access Disabled | boolean | policy | System Full Disk Access allows selected apps to access data from Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the device. This setting should be disabled for everything except CrowdStrike apps. |
| CrowdStrike Full Disk Access | boolean | policy | Verifies that the CrowdStrike agent is granted Full Disk Access to the device. CrowdStrike Full Disk Access allows CrowdStrike apps to access necessary data, info, and certain administrative settings on the device. |
| Windows OS Build Supported | boolean | policy | Verifies the Windows OS build number is sufficiently new and is supported by CrowdStrike for compatibility and support purposes. |
| KMCI Enabled | boolean | policy | Verifies that Kernel Mode Code Integrity (KMCI) is enabled on the device. Kernel Mode Code Integrity (KMCI) is enabled by default. When enabled, it ensures that all kernel mode drivers are signed. Those that are not signed cannot load. This setting requires Hypervisor Code Integrity to be enabled. |
| Firmware Is UEFI | boolean | policy | Verifies that Unified Extensible Firmware Interface (UEFI) is running on the device. This ZTA requirement ensures the host has UEFI compatible firmware irrespective of its enablement status. |
| HSTI Available | boolean | policy | Verifies that Hardware Security Testability Specifications (HSTI) is available on the device. Hardware Security Testability Specifications (HSTI) protects against misconfiguration of security features on Windows devices. It provides best effort assurance that the machine is secure by default. |
| VSM Available | boolean | policy | Verifies that Virtual Secure Mode (VSM) is available on the device. Virtualization-based security uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. |
| IOMMU Available | boolean | policy | Verifies that Input–Output Memory Management Unit (IOMMU) is available and supported on the device. Input-Output Memory Management Unit (IOMMU) offers additional security against direct memory attacks. If available, it is automatically leveraged as part of Windows Memory Access Protection. |
| Secure MOR Available | boolean | policy | Verifies that Memory Overwrite Request Control is enabled on the device. Memory Overwrite Request Control is a setting for Secure Memory Overwrite Request or Secure MOR. Secure MOR enhances Credential Guard to prevent advanced memory attacks. |
| Secure Boot Enabled | boolean | policy | Verifies that Secure Boot is enabled on the device. Secure Boot is a security standard developed by members of the PC industry to help make sure a device boots using only software that is trusted by the original equipment manufacturer (OEM). |
| UEFI Memory Protection | boolean | policy | Verifies that Unified Extensible Firmware Interface (UEFI) Memory Protection is available and enabled on the device. UEFI memory protection enhances system security by protecting memory used by the firmware. |
| MBEC Available | boolean | policy | Verifies that Mode based execution control (MBEC) is available on the device. Supported in Windows 10 version 1803 and later, Mode Based Execution Control (MBEC) provides an extra layer of protection from malware attacks in a virtualized environment. |
| SMM Protections Enabled | boolean | policy | Verifies that System Management Mode (SMM) Protections are available and enabled on the device. System Management Mode (SMM) code executes at the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. |
| IOMMU In Use | boolean | policy | Verifies that Input–Output Memory Management Unit (IOMMU) is in use on the device. Input-output Memory Management Unit (IOMMU) offers additional security against direct memory attacks. |
| Secure Kernel Running | boolean | policy | Verifies that Secure Kernel is running on the device. Secure Kernel is leveraged by virtualization-based security to secure its kernel which runs at a higher trust level than the NT kernel. |
| Credential Guard Running | boolean | policy | Verifies that Windows Defender Credential Guard is running on the device. Credential Guard uses virtualization-based security to protect your credentials. This setting requires Secure Boot, UEFI, and VBS. |
| DMA Guard Enabled | boolean | policy | Verifies that Direct Memory Access Protection (DMA) is enabled for the device. Also known as Kernel DMA Protection, Memory Access Protection prohibits direct memory access (DMA) attacks. |
| HVCI Enabled | boolean | policy | Verifies that Hypervisor Code Integrity is enabled for the device. Previously known as Device Guard, Hypervisor Code Integrity (HVCI) runs on a hypervisor, protecting against kernel attacks. |
| HVCI Strict Mode | boolean | policy | Verifies that Hypervisor Code Integrity (Strict Mode) is enabled for the device. This is an additional layer of security for Hypervisor Code Integrity. If HVCI is active, then Strict Mode is enabled by default. |
| Windows Insider Program Disabled | boolean | policy | Verifies that the Windows Insider Program is disabled for the device. This setting checks if the host is registered as part of the Windows Insider Program (WIP). |
| Test Signing Disabled | boolean | policy | Verifies that the Test Signing is disabled for the device. Test Signing allows any and all things to run on the device. It should always be disabled. |
| Debug Mode Disabled | boolean | policy | Verifies that the Debug Mode is disabled for the device. When a host is in debug mode, it is not secure. |
| Beta Build Disabled | boolean | policy | Verifies Windows Beta is disabled for the device. Undocumented Windows Betas are builds that are not officially part of Windows beta program and are not secure. |
| Script Enforcement Enabled | boolean | policy | Verifies that Script Enforcement is enabled for the device. Script Enforcement helps prevent the execution of unauthorized scripts on the system. |
| Branch Target Injection Mitigation Active | boolean | policy | Verifies that Branch Target Injection Mitigation is active on the device. This requirement monitors whether mitigations are in place to defend against branch target injection (CVE-2017-5715). |
| Branch Target Injection Mitigation Registry Allowed | boolean | policy | Verifies that Branch Target Injection Mitigation is not disabled in the registry. This requirement is based on the registry status for mitigations required to prevent branch target injection. The status for these mitigations must not be disabled in the registry. |
| Branch Target Injection Mitigation Hardware Supported | boolean | policy | Verifies that Branch Target Injection Mitigation is supported by hardware. This requirement determines if the host's hardware supports the mitigations required to prevent branch target injection. |
| Branch Target Injection Mitigation Patch | boolean | policy | Verifies that the system is patched against CVE-2017-5715. This requirement ensures the host has applied the relevant patches to prevent branch target injection. |
| Rogue Data Cache Load Mitigation | boolean | policy | Verifies that Rogue Data Cache Load Mitigations is enabled for the device. This requirement ensures mitigations are in place to defend against Rogue Data Cache Load (CVE-2017-5754). |
| Rogue Data Cache Load Mitigation Patched | boolean | policy | Verifies that the system is patched against CVE-2017-5754. This requirement ensures the host has applied the relevant patches to prevent branch target injection. |
| L1 Terminal Fault Mitigation Enabled | boolean | policy | Verifies that L1 Terminal Fault Mitigation is enabled for the device. This requirement ensures mitigations are in place to defend against L1 Terminal Fault (CVE-2018-3620). |
| Speculative Store Bypass Mitigation Available | boolean | policy | Verifies that Speculative Store Bypass Mitigation is available and active on the device. This requirement ensures the host's OS contains the mitigation for Speculative Store Bypass (CVE-2018-3639). Speculative Store Bypass Mitigation Hardware Support must be enabled. |
| Speculative Store Bypass Mitigation Hardware Supported | boolean | policy | Verifies that Speculative Store Bypass Mitigation is supported by hardware on the device. This requirement ensures the host's hardware supports the mitigation for Speculative Store Bypass, CVE-2018-3639, and that it is automatically enabled by the OS. |
| Analytics And Improvements Disabled | boolean | policy | Verifies that Analytics and Improvements reports to Apple are disabled for the device. Analytics & Improvements automatically collects diagnostics information, captured audio, crash logs, and more in order to help Apple and other third-party vendors improve their solutions. |
| Windows Insider Program Not Running | boolean | policy | Verifies that the Windows Insider Program is not running on the device. Windows Insider Program (WIP) is an open software testing program by Microsoft. It allows users who own a valid license of Windows to register for pre-release builds of the operating system previously only accessible to software developers. A device running a beta version of Windows is less secure. Additionally, the sensor might be in reduced functionality mode (RFM). |
| Additional User Mode Data Enabled | boolean | policy | Verifies that Additional User Mode Data is enabled for this device. Additional User Mode Data (AUMD) allows the sensor to gather additional data from the user-mode component by loading a library that hooks system APIs, and is a prerequisite for several Windows exploit mitigation controls. |
| Script Based Execution Monitoring Enabled | boolean | policy | Verifies that Script-Based Execution Monitoring for Windows is enabled for the device. Script-Based Execution Monitoring enables the Falcon sensor to monitor the contents of scripts and shells that are popular mechanisms for executing malicious code on hosts. This setting doesn't kill or block scripts. |
| System Firmware BIOS Enabled | boolean | policy | Verifies that system firmware and BIOS security features are enabled. This includes protections related to firmware and BIOS that help secure the boot process and system integrity. |
| ML Cloud Antimalware Detection Enabled | string | policy | Verifies that the sensor control 'Cloud ML - Cloud Anti-malware - Detection for Windows' is set to Aggressive or higher. This cloud-based machine learning setting covers file attribute analysis and file analysis. File attribute analysis aims to stop known malware that meets a specified certainty threshold. Instead of storing millions of known malware hashes on the client, CrowdStrike's Cloud antivirus (AV) feature provides real-time blocking against high-confidence known malware based on a combination of AV detection and file properties that are analyzed by the CrowdStrike cloud using machine learning. |
| ML Cloud Antimalware Prevention Enabled | boolean | policy | Verifies that the sensor control 'Cloud ML - Cloud Anti-malware - Prevention for Windows' is set to Moderate or higher. |
| ML Adware Detection Enabled | boolean | policy | Verifies that the sensor control 'Cloud ML - Adware & PUP - Detection for Windows' is set to Aggressive or higher. This control is focused on executables classified as Adware and/or as Potentially Unwanted Programs (PUPs). Adware and PUPs are often considered just a nuisance, but they can be used to install malicious files. |
| ML Adware Prevention Enabled | boolean | policy | Verifies that the sensor control 'Cloud ML - Adware & PUP - Prevention for Windows' is set to Moderate or higher. |
| ML Sensor Antimalware Enabled | boolean | policy | Verifies that the sensor control 'Sensor ML Anti-malware - Detection for Windows' is set to Aggressive or higher. Provides machine learning-based on-sensor AV protection for malicious files, including offline protection. |
| ML Sensor Antimalware Prevention Enabled | boolean | policy | Verifies that the sensor control 'Sensor ML Anti-malware - Prevention for Windows' is set to Moderate or higher. |
| Execution Blocking Custom Blocking Enabled | boolean | policy | Verifies that the sensor control 'Execution Blocking - Custom Blocking for Windows' is enabled for the device. |
| Execution Blocking Intel Threats Enabled | boolean | policy | Verifies that the sensor control 'Execution Blocking - Intelligence-Sourced Threats for Windows' is enabled for the device. When this setting is enabled, the Falcon sensor blocks high-severity detected processes that have been classified as malicious by CrowdStrike's Intelligence analysts - these are focused on high-confidence, static hash-based IOCs. Known malicious portable executable files can be any type of malware including ransomware, loaders, and keyloggers. |
| Execution Blocking Suspicious Processes Enabled | boolean | policy | Verifies that the sensor control 'Execution Blocking - Suspicious Processes for Windows' is enabled for the device. This setting blocks processes which exhibit suspicious behavior as defined by IOAs. The goal is to identify the intention of the process, and block if deemed malicious. This provides an additional level of protection in high-fidelity areas, such as PowerShell activity. |
| Execution Blocking Suspicious Registry Ops Enabled | boolean | policy | Verifies that the sensor control 'Execution Blocking - Suspicious Registry Operations' is enabled for the device. This setting blocks processes that exhibit suspicious registry-related behavior as defined by dynamic IOAs. It focuses on Autostart Extension Points (ASEPs) and security config changes. |
| Execution Blocking Suspicious Scripts Enabled | boolean | policy | Verifies that the sensor control 'Execution Blocking - Suspicious Scripts and Commands' is enabled for the device. The Falcon sensor can block some malicious operations performed by scripts and shells |
| Exploit Mitigation Force ASLR Enabled | boolean | policy | Verifies that the sensor control 'Exploit Mitigation - Force ASLR' is enabled for the device. When enabled, Address Space Layout Randomization (ASLR) bypass attempts will be detected and blocked. |
| Exploit Mitigation SEH Overwrite Protection Enabled | boolean | policy | Verifies that the sensor control 'Exploit Mitigation - SEH Overwrite Protection' is enabled for the device. This option detects and prevents exploits that attempt to gain execution by overwriting an Structured Exception Handler (SEH). This is a popular mechanism used by malicious actors for executing remote code. |
| Exploit Mitigation Heap Spray Allocation Enabled | boolean | policy | Verifies that the sensor control 'Exploit Mitigation - Heap Spray Allocation' is enabled for the device. When enabled, Heap Spray Preallocation attempts are detected and blocked. This is a popular technique for remotely hijacking browsers. |
| Exploit Mitigation Null Page Allocation Enabled | boolean | policy | Verifies that the sensor control 'Exploit Mitigation - NULL Page Allocation' is enabled for the device. NULL Page Allocation prevents the exploitation of Null Pointer dereferencing, which can be exploited when the stack pointer address is set to NULL. If the exploit also has control over adjacent memory, this could lead to remote code execution. This is a popular mechanism used by malicious actors for executing remote code. |
| Ransomware Backup Deletion Enabled | boolean | policy | Verifies that the sensor control 'Ransomware - Backup Deletion' is enabled for the device. When enabled, this detects and blocks processes that attempt to delete all volume shadow copies, that being a very popular, key tactic used by some ransomware variants. |
| Ransomware File System Access Enabled | boolean | policy | Verifies that the sensor control 'Ransomware - File System Access' is enabled for the device. File System Access prevention stops processes that are performing a high volume of file system operations, which is a behavior pattern common in ransomware. Detects and blocks generic ransomware variants. |
| Ransomware Cryptowall Enabled | boolean | policy | Verifies that the sensor control 'Ransomware - Cryptowall' is enabled for the device. When enabled, this setting blocks most known variants of Cryptowall. |
| Ransomware File Encryption Enabled | boolean | policy | Verifies that the sensor control 'Ransomware - File Encryption' is enabled for the device. File Encryption detects and blocks a process that traverses a directory and starts encrypting individual files on disk using known extensions. |
| Ransomware Locky Enabled | boolean | policy | Verifies that the sensor control 'Ransomware - Locky' is enabled for the device. When enabled, it detects and blocks most known variants of Locky ransomware. |
| Exploitation Behavior Application Exploitation Activity Enabled | boolean | policy | Verifies that the sensor control 'Exploitation Behavior - Application Exploitation Activity' is enabled for the device. This setting ensures the creation of a process, such as a command prompt (cmd.exe), from an exploited browser or browser flash plugin is blocked. |
| Exploitation Behavior Javascript Execution Rundll32 Enabled | boolean | policy | Verifies that the sensor control 'Exploitation Behavior - JavaScript Execution via Rundll32' is enabled for the device. This setting ensures JavaScript executing from a command line via rundll32.exe is prevented. This is a popular method used to bypass Microsoft AppLocker or other software restriction policies by using an allowed application to execute malicious code. |
| Exploitation Behavior Chopper Webshell Enabled | boolean | policy | Verifies that the sensor control 'Unauthorized Remote Access IOAs - Chopper Webshell' is enabled for the device. Chopper Webshell attacks occur when an attacker controls the content of a web page that's served by an organization's web server. |
| Exploitation Behavior Driveby Download Enabled | boolean | policy | Verifies that the sensor control 'Exploitation Behavior - Drive-by Download' is enabled for the device. This setting detects and blocks files written by the browser to a temp location and executed. |
| Exploitation Behavior Code Injection Enabled | boolean | policy | Verifies that the sensor control 'Exploitation Behavior - Code Injection' is enabled for the device. This setting kills processes attempting PowerShell injection into other processes. |
| Lateral Movement Credential Access Windows Logon Bypass Enabled | boolean | policy | Verifies that the sensor control 'Lateral Movement & Credential Access - Windows Logon Bypass' is enabled for the device. Detects/blocks process attempts to alter registry entry modifying on-screen keyboard execution. |
| Lateral Movement Credential Access Credential Dumping Enabled | boolean | policy | Verifies that the sensor control 'Lateral Movement & Credential Access - Credential Dumping' is enabled for the device. Detects/prevents suspicious processes stealing logins and passwords. |
| Sensor Tampering Protection Enabled | boolean | policy | Verifies that the sensor control 'Sensor Tampering Protection' is enabled for the device. Blocks attempts to tamper with the sensor, critical for preventing security evasion. |
| Interpreter Only Enabled | boolean | policy | Verifies that the sensor control 'Interpreter Only' is enabled for the device. Provides AMSI-based introspection of PowerShell engine to identify malicious script usage. |
| Engine Full Visibility Enabled | boolean | policy | Verifies that the sensor control 'Engine (Full Visibility)' is enabled for the device. Intercepts execution of PowerShell scripts from any application using PowerShell engine via DLL injection. |
| HTTP Detections Enabled | boolean | policy | Verifies that the sensor control 'HTTP Detections' is enabled for the device. The sensor detects potentially malicious HTTP traffic, suspicious URLs, downloads, or patterns. |
| Automated Remediation Enabled | boolean | policy | Verifies that the sensor control 'Remediation - Advanced Remediation' is enabled for the device. Kills processes, quarantines files, and deletes ASEP registry values for certain IOA detections. |
| Real Time Response Enabled | boolean | policy | Verifies that the sensor control 'CrowdStrike - Real Time Response for Windows' is enabled for the device. Enables responders to run commands on a host directly from Falcon console. |
| Reduced Functionality Mode Disabled | boolean | policy | Verifies that the sensor control 'Reduced Functionality Mode' is disabled. RFM is a safe mode that prevents compatibility issues but leaves hosts unprotected by Falcon. |
Additional CrowdStrike information
This section covers details from CrowdStrike for your integration.
CrowdStrike Falcon device directory matching
This integration uses Agent ID (AID), a unique and device specific identifier created by CrowdStrike. Beyond Identity collects the Agent ID from both the data.zta file and from falconctl. Beyond Identity does not use serial numbers to match devices to records.
Linux OS score
CrowdStrike reports the OS score for Linux as 0. CrowdStrike has no Linux OS assessment features.
Integration rate limits
All requests to the CrowdStrike API have rate limits. The rate limit is calculated on a sliding window. The default rate limit for requests from a valid bearer token is 6,000 requests per minute per customer account. Each request in your customer account removes one request from that pool. This applies to any API endpoint or API client used for the request.